Using an external directory

This feature was not part of the security target.

Various features, including administrator authentication, require a connection to a directory. When this directory is outside the SNS firewall, the confidentiality and integrity of the traffic exchanged must be guaranteed, and the appliances involved (firewall, administration server and directory server) must be authenticated. Otherwise, an attacker could obtain information about the connection.

R28 | SNS-SMC | Configure the LDAP securely
If the LDAP service is configured:
  • The LDAPS protocol should be used, with the LDAP server presenting a certificate signed by a controlled PKI,

  • The corresponding CA should be imported on the SNS firewall or the SMC server,

  • The CA imported earlier should be used to validate the connection to the LDAP server.
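The three conditions of R28 map directly onto a TLS client configuration: require a server certificate, check its name, and trust only the controlled CA rather than a system bundle. The following added example (not code from Stormshield or from this guide) shows the strict client context beside the weak one R28 rules out, an audit helper that reports which conditions hold, and a handshake function that reports who signed the directory's certificate. The host name, port and CA file path are placeholders to replace with your own values.

```python
import socket
import ssl

# Placeholders for the added example: the directory host, the LDAPS port and
# the path of the CA that signed the LDAP server certificate (R28).
LDAP_HOST = "ldap.example.internal"
LDAPS_PORT = 636
CONTROLLED_CA_FILE = "/path/to/controlled-ca.pem"


def strict_ldaps_context() -> ssl.SSLContext:
    """Client context that refuses unauthenticated servers.

    PROTOCOL_TLS_CLIENT turns on certificate verification and hostname
    checking by default. No trust anchor is loaded here, so until a CA is
    added every handshake fails: that is the safe starting point.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def trust_controlled_ca(ctx: ssl.SSLContext, ca_file: str) -> ssl.SSLContext:
    """Load only the controlled PKI's CA (second and third bullets of R28).

    The system CA bundle is deliberately not loaded: any public CA could
    otherwise issue a certificate the firewall would accept for this host.
    """
    ctx.load_verify_locations(cafile=ca_file)
    return ctx


def weak_ldaps_context() -> ssl.SSLContext:
    """The setting R28 forbids: traffic is encrypted but the server is not
    authenticated, so a man-in-the-middle terminates the TLS session."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report whether a context meets the R28 conditions."""
    return {
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": bool(ctx.check_hostname),
        "tls12_or_newer": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
    }


def ldaps_server_identity(host: str, port: int, ctx: ssl.SSLContext) -> dict:
    """Complete a TLS handshake on the LDAPS port and return the certificate's
    subject, issuer and expiry.

    With a strict context this raises ssl.SSLCertVerificationError when the
    chain does not lead to the loaded CA or the name does not match, which is
    exactly the failure a validated LDAP connection should produce.
    """
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return {
        "subject": dict(rdn[0] for rdn in cert["subject"]),
        "issuer": dict(rdn[0] for rdn in cert["issuer"]),
        "not_after": cert["notAfter"],
    }


if __name__ == "__main__":
    ctx = trust_controlled_ca(strict_ldaps_context(), CONTROLLED_CA_FILE)
    print("strict:", audit_context(ctx))
    print("weak:  ", audit_context(weak_ldaps_context()))
    print(ldaps_server_identity(LDAP_HOST, LDAPS_PORT, ctx))
```

Running the script against a directory whose certificate was not issued by the loaded CA ends in a verification error rather than a connection, which is the behaviour to expect from the firewall once the imported CA is selected for the LDAP connection.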

Authentication from an external directory can be set up in several steps:

  • Enable the use of the directory (Configuration > Users > Directory configuration), choose its type then configure access:

    • The address of the directory,

    • The base DN,

    • The communication port,

    • The login and password of the SNS firewall’s access account on the directory. This account must comply with recommendation R8.

    • The password hash algorithm.

  • Specify the structure of the directory (Structure tab). The attributes that SNS firewalls manage must be mapped to those in the LDAP directory. The Stormshield member attribute in particular, which contains the list of identifiers belonging to a group, must match its equivalent in the LDAP directory.

  • Set LDAP as the default authentication method (Configuration > Users > Authentication).
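The Structure step matters because group membership is resolved through whatever attribute the firewall has been told holds members: if the mapping names an attribute the directory does not use, groups resolve as empty and users silently lose the access policies tied to them. The added example below (not Stormshield code; the attribute names on the firewall side and the directory export are constructed for illustration) parses a small LDIF export containing one OpenLDAP-style group (`uniqueMember`) and one Active Directory-style group (`member`), then resolves membership through two candidate mappings to show which groups each mapping can see.

```python
# Constructed directory export for the added example (not real data).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: alice
mail: alice@example.org

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: bob
mail: bob@example.org

dn: cn=vpn-users,ou=groups,dc=example,dc=org
objectClass: groupOfUniqueNames
cn: vpn-users
uniqueMember: uid=alice,ou=people,dc=example,dc=org
uniqueMember: uid=bob,ou=people,dc=example,dc=org

dn: CN=Firewall Admins,OU=Groups,DC=corp,DC=example
objectClass: group
cn: Firewall Admins
member: CN=Carol,OU=Users,DC=corp,DC=example
"""

# Firewall-side attribute names (assumed for this example) mapped to the
# directory's own attribute names. The "member" entry is the one the text
# singles out; LDAP attribute names are case-insensitive, so they are
# normalised to lower case when looked up.
OPENLDAP_MAPPING = {"member": "uniqueMember", "login": "uid", "mail": "mail"}
AD_MAPPING = {"member": "member", "login": "sAMAccountName", "mail": "mail"}


def parse_ldif(text: str) -> dict:
    """Minimal LDIF reader returning {dn: {attr_lower: [values]}}.

    Handles folded continuation lines (leading space) and comments;
    base64 values ("attr:: ...") are out of scope for this example.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = {}, None
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if current is not None:
                entries[current["dn"]] = current["attrs"]
            current = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(name, []).append(value)
    return entries


def _norm_dn(dn: str) -> str:
    # DNs compare case-insensitively; whitespace around RDN separators is ignored.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def group_members(entries: dict, mapping: dict, group_dn: str) -> list:
    """Member DNs of a group, read through the mapped member attribute."""
    attr = mapping["member"].lower()
    for dn, attrs in entries.items():
        if _norm_dn(dn) == _norm_dn(group_dn):
            return list(attrs.get(attr, []))
    return []


def user_in_group(entries: dict, mapping: dict, user_dn: str, group_dn: str) -> bool:
    members = {_norm_dn(m) for m in group_members(entries, mapping, group_dn)}
    return _norm_dn(user_dn) in members


def visible_groups(entries: dict, mapping: dict) -> dict:
    """Sanity check after filling in the Structure tab: every entry that
    exposes the mapped member attribute, with its member count. A group
    you expect to see but that is missing here means the mapping is wrong."""
    attr = mapping["member"].lower()
    return {dn: len(attrs[attr]) for dn, attrs in entries.items() if attr in attrs}


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for label, mapping in (("OpenLDAP mapping", OPENLDAP_MAPPING), ("AD mapping", AD_MAPPING)):
        print(label, "->", visible_groups(directory, mapping))
```

With the OpenLDAP mapping the `vpn-users` group shows two members and the AD-style group is invisible; with the AD mapping the reverse holds. Checking `visible_groups` against the groups the firewall's policies reference is a quick way to confirm the Structure tab before making LDAP the default authentication method.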